New "Whiffy Recon" Malware Triangulates Infected Device Location via Wi-Fi Every Minute
2023-08-24 11:24

The SmokeLoader malware is being used to deliver a new Wi-Fi scanning malware strain called Whiffy Recon on compromised Windows machines.

"The new malware strain has only one operation. Every 60 seconds it triangulates the infected systems' positions by scanning nearby Wi-Fi access points as a data point for Google's geolocation API," Secureworks Counter Threat Unit said in a statement shared with The Hacker News.

SmokeLoader has been offered for sale to Russia-based threat actors since 2014.

Whiffy Recon works by checking for the WLAN AutoConfig service on the infected system and terminating itself if the service name doesn't exist.

"Who, or what, is interested in the actual location of an infected device? The regularity of the scan at every 60 seconds is unusual, why update every minute? With this type of data a threat actor could form a picture of the geolocation of a device, mapping the digital to the physical."

The second phase of the attack involves scanning for Wi-Fi access points via the Windows WLAN API every 60 seconds.
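
The 60-second cadence described above is itself a detection signal. The following sketch is an added example, not code from Secureworks or The Hacker News: it flags clients that call Google's Geolocation API at a steady one-minute interval. The log format, client addresses and thresholds are assumptions, and the sample lines are constructed; it presumes a proxy with TLS inspection so the request path is visible.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Public endpoint of Google's Geolocation API.
GEO_HOST = "www.googleapis.com"
GEO_PATH = "/geolocation/v1/geolocate"

def parse_line(line):
    """Parse 'ISO-timestamp client method host path' (assumed log format)."""
    ts, client, method, host, path = line.split()
    return datetime.fromisoformat(ts), client, method, host, path.split("?")[0]

def periodic_geolocation_clients(lines, period=60, tolerance=5, min_run=5):
    """Return {client: longest run of consecutive gaps within tolerance of period}."""
    seen = defaultdict(list)
    for line in lines:
        ts, client, method, host, path = parse_line(line)
        if method == "POST" and host == GEO_HOST and path == GEO_PATH:
            seen[client].append(ts)
    flagged = {}
    for client, stamps in seen.items():
        stamps.sort()
        best = run = 0
        for prev, cur in zip(stamps, stamps[1:]):
            gap = (cur - prev).total_seconds()
            # A gap outside the window resets the run, so sporadic lookups never add up.
            run = run + 1 if abs(gap - period) <= tolerance else 0
            best = max(best, run)
        if best >= min_run:
            flagged[client] = best
    return flagged

def sample_log():
    """Constructed sample: one client polling every ~60 s, one with sporadic lookups."""
    start = datetime(2023, 8, 24, 11, 0, 0)
    lines = []
    for i in range(8):  # 10.0.0.5: regular interval with a little jitter
        t = start + timedelta(seconds=60 * i + (i % 3))
        lines.append(f"{t.isoformat()} 10.0.0.5 POST {GEO_HOST} {GEO_PATH}?key=PLACEHOLDER")
    for off in (0, 17, 400, 1900, 1960):  # 10.0.0.9: irregular, browser-like use
        t = start + timedelta(seconds=off)
        lines.append(f"{t.isoformat()} 10.0.0.9 POST {GEO_HOST} {GEO_PATH}?key=PLACEHOLDER")
    lines.append(f"{start.isoformat()} 10.0.0.5 GET example.com /index.html")
    return lines

if __name__ == "__main__":
    print(periodic_geolocation_clients(sample_log()))
```

Requiring a run of consecutive in-window gaps, rather than a raw request count, keeps clients that use the API occasionally from being flagged.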


News URL

https://thehackernews.com/2023/08/new-whiffy-recon-malware-triangulates.html